On Mon, Jun 25, 2001 at 11:48:32PM -0400, Bruce Momjian wrote:
> OK, I get you now. Why not ask the client to do a crypt and compare
> that to pg_shadow. It is better than what we have now for 'password'
> authentication because it encrypts pg_shadow.
>
> The big problem is that you can't do 'crypt' authentication once you
> encrypt pg_shadow, unless we do the double-encription thing, and I think
> it is a bigger win for them to use crypt-authentication than to encrypt
> pg_shadow.
my mods do not require encryption of pg_shadow, unless you want to use
my "password pg_shadow" extension. it is then the responsibility of the
dbadmin to do "CREATE USER username WITH PASSWORD '$1$xxxxxx';
(i have a unix_crypt(text, text) function i can put in contrib, as well
as samba_lm_crypt(text) and samba_nt_crypt(text) for anyone interested)
the current code (without my mods) requires the dbadmin to either play
the lottery and store all passwords in plain-text, or to manipulate
external password files, which causes all manner of issues with regards
to updating (changing) the passwords in the external files.
> The wire is clearly less secure than pg_shadow.
ah, you've not had a client rooted lately.
the wire is far more secure than many default OS installations.
i will not argue that the double-encryption stuff, and MD5 type stuff is
better.
however, forcing the dbadmin to store plain-text passwords in pg_shadow
is at best unwise.
giving them the option of my mods is a reasonable step towards allowing
them to avoid that one-stop-shopping facility for crackers, without breaking
any existing implementations for those who chose to walk what i consider
an unsafe path.
--
[ Jim Mercer jim@reptiles.org +1 416 410-5633 ]
[ Now with more and longer words for your reading enjoyment. ]